Rick van Rein

Tue 08 April 2014


April 8th, 2014: SNI everywhere

Since support for XP is ending soon, and because IE on XP was the only realistic platform that fails to send SNI alongside its web requests, we can assume that SNI is everywhere. Or at least, that is a safe assumption from April 8th, 2014 -- when IE on XP is officially acknowledged by its own maker as an insecure browser. (Others have said the same thing for much longer already.) So it is not illogical to stop supporting browsers without SNI.


Practical Solution

Support for XP is ending soon. The practical solution to this problem is to use the Server Name Indication to switch TLS connections. Since this extension is sent in the ClientHello, before encryption starts, a fairly simple utility can read it out and forward the TLS connection as a whole to its proper destination. Since this means joining two TCP connections, it is even possible to cross over from an external IPv4-based port 443 and relay the traffic to an IPv6 address.

The solution is coded into a simple tool named SNItch. This tool is configured with a label (the server name from the TLS extension) and the address to forward it to. You run it as a daemon at the place where your web traffic comes in, and it relays the traffic. You can decide whether to set up IPv6 for direct web server contact (in DNS and firewalls) or whether you prefer a single entry point for all your web traffic, IPv4 and IPv6 alike.
